Over the past month, we have observed several large spam campaigns with malicious HTML attachments. We believe the botnet behind these campaigns is Cutwail. Here is data we collected, starting from the first day of 2012, illustrating spikes of spam with malicious HTML attachments:
So what happens if the unsuspecting user opens the HTML attachment? Here is the HTML source code:
The landing page that contains the exploit code is the Phoenix Exploit Kit, a kit used by cybercriminals and, in this case, for this particular spam campaign. This exploit kit is readily available for cybercriminals to buy and use; all they need is their own web server that can run PHP scripts. The image shown below is a screenshot of the actual server’s “Phoenix Exploit’s Kit” admin page. The “—” (empty) referrer in the statistics suggests that most visitors were NOT coming from another website but from the HTML files that the cybercriminals spammed out. It also shows over 4000 visitors, 15% of whom were successfully exploited.
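The chain described above is an HTML attachment whose only job is to send the browser on to the kit's landing page. The following is an added example, not M86's code and not part of the original post, of how a mail gateway or incident responder could triage such attachments: it parses a message, pulls out every HTML attachment, and flags those that contain redirect constructs (meta refresh, iframes, script-driven location changes, external script loads), reporting the URLs they point at. The sample message, the `example.invalid` hostnames and the indicator patterns are all constructed for the example and are an assumed heuristic, not a signature set.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructs that turn a "document" into a forwarder to some other host.
# These patterns are an assumption for this example, not a vendor signature set.
REDIRECT_PATTERNS = [
    ("meta-refresh", re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh", re.I)),
    ("iframe", re.compile(r"<iframe\b", re.I)),
    ("location-redirect", re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=", re.I)),
    ("external-script", re.compile(r"<script[^>]+src\s*=\s*[\"']?https?://", re.I)),
]
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def is_html_attachment(part):
    """True for a MIME part that is an HTML file shipped as an attachment.

    An inline text/html alternative (a normal HTML-formatted mail body) is
    deliberately not counted; only attached .htm/.html files are.
    """
    filename = (part.get_filename() or "").lower()
    if filename.endswith((".htm", ".html")):
        return True
    return (part.get_content_type() == "text/html"
            and part.get_content_disposition() == "attachment")


def scan_html_attachments(raw_bytes):
    """Return one finding per HTML attachment that contains a redirect construct.

    Each finding records the attachment name, which indicators matched, and the
    URLs found in the file, which is what an analyst would want to block or look up.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not is_html_attachment(part):
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        hits = [name for name, pattern in REDIRECT_PATTERNS if pattern.search(body)]
        if hits:
            findings.append({
                "filename": part.get_filename(),
                "indicators": hits,
                "urls": sorted(set(URL_RE.findall(body))),
            })
    return findings


def build_sample_message():
    """Constructed sample: a spam mail whose HTML attachment just forwards the browser."""
    msg = EmailMessage()
    msg["From"] = "invoice@example.invalid"   # constructed sender
    msg["To"] = "user@example.invalid"        # constructed recipient
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    html = (
        "<html><body>Loading...\n"
        "<script>window.location = 'http://landing.example.invalid/index.php';</script>\n"
        "</body></html>\n"
    )
    msg.add_attachment(html.encode("utf-8"), maintype="text", subtype="html",
                       filename="invoice.html")
    return msg.as_bytes()


def build_benign_message():
    """Constructed control: an ordinary HTML-formatted mail with no attachment."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Weekly update"
    msg.set_content("Plain-text version of the update.")
    msg.add_alternative("<html><body><p>HTML version of the update.</p></body></html>",
                        subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("spam", build_sample_message()), ("benign", build_benign_message())):
        print(label, scan_html_attachments(raw))
```

The point of the control message is that the heuristic keys on *attached* HTML files, not on HTML-formatted mail bodies, so ordinary newsletters do not trip it; a real gateway rule would pair this with the attachment's destination URLs for reputation lookups.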
Spammers tend to recycle spam campaign themes, sometimes adding different twists, so we expect more of these HTML attachment campaigns in the future.
M86 MailMarshal customers are protected against these spam campaigns, and M86 Secure Web Gateway customers are protected against the Phoenix Exploit kit.
Thanks to Daniel Chechik for the additional analysis and insight on the Phoenix kit.